FW: ipfw and nat problem

David van Rensburg - PC Network david at pcnetwork.co.za
Mon Jul 18 18:54:54 UTC 2011


>Hi
>
>Yes sorry - I suppose I was assuming that goes without saying.
>Will open 443 for https and close 80 and do a transparent squid proxy
>which I got to work.
>
>I just can't seem to understand in and out.
>Does in mean INTO the BOX or into the specific interface? What happens if
>you don't specify an interface when you say in or out?
>OR does in mean into the internal network from outside or just into the
>box?
>
>Please just elaborate on that for me ?
>
>David.
>
>On 2011/07/18 8:32 PM, "Chuck Swiger" <cswiger at mac.com> wrote:
>
>>On Jul 18, 2011, at 10:41 AM, David van Rensburg - PC Network wrote:
>>> I've been having a problem with ipfw and nat. I can get nat to work but
>>>I want the following:
>>> My lan must only have access to outgoing port 80
>>
>>For web access to be useful for most cases, you also need to permit 443
>>for HTTPS.
>>
>>> I want to be able to allow some lan users access to ftp and outgoing
>>>3389 (remote desktop), but by default only port 80
>>> I have transparent proxy work in ipfw.
>>> I want to be able to limit outgoing and incoming to the freebsd server
>>>according to port.
>>> I want a default deny.
>>
>>You haven't mentioned anything about DNS, NTP, SMTP & POP3/IMAP.  For web
>>access or remote desktop to function, you'll need to permit DNS traffic
>>so they can find the machines they are connecting to.  And most networks
>>want to have network time and email working.
>>
>>> ANY help or point me in the right direction would be great. I have been
>>>googling for a week now and can't find anything similar. Most examples
>>>don't use a default deny and don't allow certain services to the lan
>>>users.
>>
>>Start with:
>>
>>  http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>>
>>...and the books recommended in /etc/rc.firewall:
>>
>># If you don't know enough about packet filtering, we suggest that you
>># take time to read this book:
>>#
>>#	Building Internet Firewalls, 2nd Edition
>>#	Brent Chapman and Elizabeth Zwicky
>>#
>>#	O'Reilly & Associates, Inc
>>#	ISBN 1-56592-871-7
>>#	http://www.ora.com/
>>#	http://www.oreilly.com/catalog/fire2/
>>#
>># For a more advanced treatment of Internet Security read:
>>#
>>#	Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
>>#	William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
>>#
>>#	Addison-Wesley / Prentice Hall
>>#	ISBN 0-201-63466-X
>>#	http://www.pearsonhighered.com/
>>#	http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html
>>
>>Regards,
>>-- 
>>-Chuck
>>
>>
>
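The ruleset the thread asks for (default deny, web and DNS for the whole LAN, FTP and RDP for selected hosts, NAT on the outside interface), written as an added example that is not part of the original messages. In ipfw, "in" and "out" refer to the FreeBSD box, not the LAN: "in" matches a packet the kernel is receiving on an interface, "out" one it is about to transmit, and recv/xmit/via name which interface; without one, the rule matches on every interface, which is why each rule below names its interface. The interface names em0/em1, the 192.168.1.0/24 LAN and the privileged host list are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: default-deny ipfw ruleset for the setup
# described above. Interfaces, LAN range and privileged hosts are assumptions.
oif=${oif:-em0}                  # assumed outside (Internet) interface
iif=${iif:-em1}                  # assumed inside (LAN) interface
lan=${lan:-192.168.1.0/24}       # assumed LAN range
priv_hosts=${priv_hosts:-"192.168.1.10 192.168.1.11"}  # assumed FTP/RDP users
run() { if [ -n "${PREVIEW:-}" ]; then echo "$@"; else "$@"; fi; }  # PREVIEW=1 prints
fw() { run ipfw -q "$@"; }

# A forwarded packet traverses ipfw twice: "in recv $iif" when the kernel
# receives it from the LAN, and "out xmit $oif" when it transmits it. The reply
# does the same in reverse. Without recv/xmit/via, "in" matches ANY interface.
allow_lan_tcp() {   # $1 = destination port, $2 = source host or network
    fw add allow tcp from $2 to any $1 in recv $iif                   # LAN -> box
    fw add allow tcp from me to any $1 out xmit $oif                  # box -> Internet, post-NAT
    fw add allow tcp from any $1 to $2 in recv $oif established       # reply, already de-NATed
    fw add allow tcp from any $1 to $2 out xmit $iif established      # reply -> LAN
}

build_ruleset() {
    fw -f flush
    # one_pass=0: packets continue to the filter rules after the nat rule instead
    # of being accepted by it; verbose=1 makes "deny log" reach syslog.
    run sysctl net.inet.ip.fw.one_pass=0
    run sysctl net.inet.ip.fw.verbose=1
    fw nat 1 config if $oif reset
    fw add 100 nat 1 ip from any to any via $oif
    fw add 200 allow ip from any to any via lo0
    # Everyone: HTTP, HTTPS (Chuck's point) and DNS. UDP replies only match
    # "to $lan" after NAT has rewritten the destination, so the NAT table is the state.
    for p in 80 443; do allow_lan_tcp $p $lan; done
    fw add allow udp from $lan to any 53 in recv $iif
    fw add allow udp from me to any 53 out xmit $oif
    fw add allow udp from any 53 to $lan in recv $oif
    fw add allow udp from any 53 to $lan out xmit $iif
    # Selected hosts only: FTP control channel and RDP. Passive FTP data
    # connections use arbitrary high ports and would need further rules.
    for h in $priv_hosts; do allow_lan_tcp 21 $h; allow_lan_tcp 3389 $h; done
    # The FreeBSD box itself: SSH from the LAN only; nothing from outside
    fw add allow tcp from $lan to me 22 in recv $iif
    fw add allow tcp from me 22 to $lan out xmit $iif established
    fw add 65000 deny log ip from any to any    # default deny, both directions
}

case "${1:-}" in load) build_ruleset ;; preview) PREVIEW=1 build_ruleset ;; esac
```

Run `sh ruleset.sh preview` to see the generated rules before `sh ruleset.sh load` applies them; the preview output is also what the test below checks.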